During transmission of information from a sender to a receiver, for example in a system including hand-held devices, there are basically four aspects that need to be fulfilled for obtaining a secure transmission with regards to authenticity, integrity, confidentiality and non-repudiation. However, confidentiality, i.e. that the information is kept secret during the transmission, is crucial in the field of digital communication, for example in financial transactions or in e-commerce. This aspect, as well as the other aspects, can be met by using cryptography.
When using cryptography or a network security algorithm based on cryptography, random number data is used for different reasons and play an essential role. For example, random numbers are frequently used as encryption keys or for generation of encryption keys. Furthermore, random data is by definition difficult to determine or guess.
Common methods of cryptography include symmetric encryption and asymmetric encryption. When using symmetric encryption, the same key is used for both encryption and decryption. The encryption key is used in conjunction with an encryption algorithm, and different keys will result in different outputs from the algorithm. The degree of security of the encrypted message depends on the secrecy of the key and therefore on the random number used as the key or for generating the key, not on the secrecy of the algorithm. This makes it possible to use powerful standard algorithms, such as AES (Advanced Encryption Standard), DES (Data Encryption Standard) or IDEA (International Data Encryption Standard). The degree of security also depends on the length or bit size of the key. The longer the encryption key, the more difficult it is to break the cipher.
When using asymmetric encryption, the sender and the receiver each has a private encryption key and a public encryption key. Thereby, confidentiality, authentication and non-repudiation is achieved. Commonly used asymmetric encryption algorithms include, for example, RSA (Rhivest-Shamir-Adleman) and DH (Diffie-Hellman).
It is a well-known problem that sources for true random numbers are difficult to find. Physical noise generators, such as pulse detectors of ionizing radiation events, gas discharge tubes, and leaky capacitors, are one potential source. However, such devices are of limited utility in network security applications. For example, incorporating one of these devices into a hand-held device will require a complex and possibly bulky design of the hand-held device. Furthermore, there are problems both with the degree of randomness and the precision of numbers generated by such devices.
Another approach for obtaining random numbers for cryptographic applications is to use algorithmic techniques. However, these algorithms are deterministic and therefore produce sequences of numbers that are not statistically random. Such numbers are often referred to as pseudo random numbers.
A widely used technique for pseudo random number generation is the linear congruential method. A sequence of numbers is obtained via the following equationXn+1=(aXn+b)mod c,
where X0 is an initial number, i.e. the random seed. Usually, in a handheld device or a computer, the microseconds of the internal clock are used as random seed to initiate the algorithm.
One problem with the above-mentioned method is that once a value, the random seed, has been chosen, the subsequent numbers in the sequence follow deterministically. This means that someone having knowledge of a part of the sequence could theoretically determine subsequent elements of the sequence.
It is possible to implement more advanced random number generators that use the internal clock as random seed, for example such as the algorithm used in Bluetooth. This and similar algorithms are able to generate pseudo random numbers with improved statistical characteristics compared to the numbers generated by the linear congruential method. However, the pseudo random numbers are still of an insufficient quality in a statistical sense, i.e. when considering the degree of randomness.
Thus, there remains a problem in finding a method, that can be implemented in a system comprising hand-held devices, that provide random numbers of good quality, according to the above-mentioned criterions, for generation of encryption keys for use in encryption algorithms in order to provide a secure transmission of information between a sender and a receiver.